From d8885981fa9ff1ccf92d33de466e3338ecbcff82 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier <mbaudier@argeo.org>
Date: Mon, 9 Jul 2012 14:00:00 +0000
Subject: [PATCH] Remove inherited thread local from RAP

git-svn-id: https://svn.argeo.org/commons/trunk@5421 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---
 .../java/org/argeo/security/ui/rap/SecureEntryPoint.java   | 7 ++++++-
 .../WEB-INF/security-filters.xml                           | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java b/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java
index 10dced4b3..233971687 100644
--- a/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java
+++ b/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java
@@ -140,7 +140,7 @@ public class SecureEntryPoint implements IEntryPoint {
 					return new Integer(result);
 				}
 			});
-			logout(loginContext, username);
+			//logout(loginContext, username);
 		} finally {
 			display.dispose();
 		}
@@ -194,6 +194,11 @@ public class SecureEntryPoint implements IEntryPoint {
 
 	protected void logout(ILoginContext secureContext, String username) {
 		try {
+			HttpServletRequest httpRequest = RWT.getRequest();
+			HttpSession httpSession = httpRequest.getSession();
+			httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, null);
+			RWT.getRequest().getSession().setMaxInactiveInterval(1);
+			SecurityContextHolder.clearContext();
 			secureContext.logout();
 			log.info("Logged out " + (username != null ? username : "")
 					+ " (THREAD=" + Thread.currentThread().getId() + ")");
diff --git a/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml b/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml
index a4f0aeb9a..cfe148bd6 100644
--- a/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml
+++ b/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml
@@ -12,7 +12,7 @@
 				filters="session,basic,rememberMe,exception,interceptor" />
 			<sec:filter-chain pattern="/basicauth"
 				filters="session,basic,exception,interceptor" />
-			<sec:filter-chain pattern="/node" filters="session" />
+			<sec:filter-chain pattern="/node" filters="session,exception,interceptor" />
 			<sec:filter-chain pattern="/public"
 				filters="session,anonymous,exception,interceptorPublic" />
 			<sec:filter-chain pattern="/j_spring_security_logout"
-- 
2.30.2